From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#20223: 25.0.50; key-chord.el crashes Emacs
Date: Mon, 30 Mar 2015 18:04:26 +0300
Message-ID: <83y4mey1ad.fsf@gnu.org>
References: <874mp43ywp.fsf@xing.com>
Reply-To: Eli Zaretskii <eliz@gnu.org>
NNTP-Posting-Host: plane.gmane.org
X-Trace: ger.gmane.org 1427727934 20352 80.91.229.3 (30 Mar 2015 15:05:34 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Mon, 30 Mar 2015 15:05:34 +0000 (UTC)
Cc: 20223@debbugs.gnu.org
To: Jan Tatarik <jan.tatarik@gmail.com>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Mar 30 17:05:23 2015
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1YcbFe-00028w-Vn
	for geb-bug-gnu-emacs@m.gmane.org; Mon, 30 Mar 2015 17:05:19 +0200
Original-Received: from localhost ([::1]:34509 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1YcbFe-00017v-Cm
	for geb-bug-gnu-emacs@m.gmane.org; Mon, 30 Mar 2015 11:05:18 -0400
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:43379)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YcbFZ-00014f-Gg
	for bug-gnu-emacs@gnu.org; Mon, 30 Mar 2015 11:05:14 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YcbFP-0002zi-W5
	for bug-gnu-emacs@gnu.org; Mon, 30 Mar 2015 11:05:13 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:50826)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YcbFP-0002zT-SE
	for bug-gnu-emacs@gnu.org; Mon, 30 Mar 2015 11:05:03 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1YcbFP-0002Oc-M2
	for bug-gnu-emacs@gnu.org; Mon, 30 Mar 2015 11:05:03 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Eli Zaretskii <eliz@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Mon, 30 Mar 2015 15:05:03 +0000
Resent-Message-ID: <handler.20223.B20223.14277278899180@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 20223
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 20223-submit@debbugs.gnu.org id=B20223.14277278899180
	(code B ref 20223); Mon, 30 Mar 2015 15:05:03 +0000
Original-Received: (at 20223) by debbugs.gnu.org; 30 Mar 2015 15:04:49 +0000
Original-Received: from localhost ([127.0.0.1]:40601 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1YcbFB-0002O0-5x
	for submit@debbugs.gnu.org; Mon, 30 Mar 2015 11:04:49 -0400
Original-Received: from mtaout23.012.net.il ([80.179.55.175]:44203)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <eliz@gnu.org>) id 1YcbF8-0002Nk-UK
	for 20223@debbugs.gnu.org; Mon, 30 Mar 2015 11:04:47 -0400
Original-Received: from conversion-daemon.a-mtaout23.012.net.il by
	a-mtaout23.012.net.il (HyperSendmail v2007.08) id
	<0NM1000005PZK800@a-mtaout23.012.net.il> for 20223@debbugs.gnu.org;
	Mon, 30 Mar 2015 18:04:40 +0300 (IDT)
Original-Received: from HOME-C4E4A596F7 ([87.69.4.28]) by a-mtaout23.012.net.il
	(HyperSendmail v2007.08) with ESMTPA id
	<0NM1000375VRK010@a-mtaout23.012.net.il>;
	Mon, 30 Mar 2015 18:04:40 +0300 (IDT)
In-reply-to: <874mp43ywp.fsf@xing.com>
X-012-Sender: halo1@inter.net.il
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:101048
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/101048>

> From: Jan Tatarik <jan.tatarik@gmail.com>
> Date: Sun, 29 Mar 2015 12:01:42 +0200
> 
> This can be reproduced from emacs -Q, with just key-chord.el
> loaded. Happens with the latest key-chord available from MELPA
> (key-chord-20140929.2246.el). Tried with current emacs master.
> 
> (package-install-file "/PATH/TO/key-chord.el")
> (key-chord-define-global "vv" ctl-x-r-map)
> (key-chord-mode 1)
> 
> Pressing [vv b] will execute bookmark-jump, as expected.
> 
> But pressing the key-chord with a key that is not defined in the target
> map will crash Emacs immediately. Try [vv q], for instance.
> 
> Only the fact that matters is the key not defined in the map. The actual
> key-chord (tried vv, pf, others) nor the map affect the outcome.

This happens because key-chord triggers a situation where the value of
't' in the snippet below (from read_key_sequence) is not in sync with
the value of 'this_command_key_count':

      /* Record what part of this_command_keys is the current key sequence.  */
      this_single_command_key_start = this_command_key_count - t;

If 't' is greater than this_command_key_count, then
this_single_command_key_start will be assigned a negative value.  In
this scenario, the result is -2 (t is 4, while this_command_key_count
is 2).  Then this-single-command-keys will produce a vector with bogus
elements.  And when a key sequence is undefined, we invoke
'undefined', which does this:

  (message "%s is undefined" (key-description (this-single-command-keys)))

So we are trying to display bogus data, with predictable results.

The same problem happens if you type "v v b", but we escape narrowly
because this key sequence is bound to a command, so we don't try to
access the result of this-single-command-keys.

I can fix this with the simple patch shown below.  It looks like
papering over the problem, and perhaps it is.  But I couldn't find any
obvious place where this_command_key_count should have been
incremented, but wasn't.  We avoid incrementing it in this scenario
because the value of 'reread' variable is 'true', since we have events
in unread-post-input-method-events after invoking the "input-method"
provided by key-chord.

HTH

--- src/keyboard.c~	2015-03-08 08:16:29 +0200
+++ src/keyboard.c	2015-03-29 15:45:46 +0300
@@ -9591,6 +9591,8 @@ read_key_sequence (Lisp_Object *keybuf,
 
       /* Record what part of this_command_keys is the current key sequence.  */
       this_single_command_key_start = this_command_key_count - t;
+      if (this_single_command_key_start < 0)
+	this_single_command_key_start = 0;
 
       /* Look for this sequence in input-decode-map.
 	 Scan from indec.end until we find a bound suffix.  */